Rock64-wall image
Add shorewall

apt-get install shorewall

nano -w /etc/default/shorewall

Change

startup = 0 to startup = 1

Copy the example rules from 

/usr/share/doc/shorewall/examples/two-interfaces/

cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/interfaces
cp /usr/share/doc/shorewall/examples/two-interfaces/masq /etc/shorewall/masq
cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/policy
cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/rules
cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/zones

Here are the contents of mine; apart from the rules file, which has an additional DNS rule from loc to fw plus Webmin and NTP rules, all are verbatim copies of the examples.

/etc/shorewall/interfaces


#

# Shorewall - Sample Interfaces File for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-interfaces"

###############################################################################

# FORMAT 2 selects the three-column layout used below (ZONE INTERFACE OPTIONS).
?FORMAT 2

###############################################################################

#ZONE INTERFACE OPTIONS

# net: the untrusted upstream side on eth0. The address comes from DHCP;
# tcpflags, nosmurfs, routefilter and logmartians are the sample's packet
# sanity / anti-spoofing checks, and sourceroute=0 stops the interface from
# accepting source-routed packets (details in man shorewall-interfaces).
net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# loc: the trusted LAN side on eth1 (statically addressed as 192.168.0.1/24
# in the interfaces.d/eth1 stanza later in this post). No dhcp option here,
# since the address is static.
loc     eth1            tcpflags,nosmurfs,routefilter,logmartians


/etc/shorewall/masq

#

# Shorewall - Sample Masq file for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-masq"

################################################################################################################

#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL

# GROUP DEST
# Masquerade (SNAT to eth0's address) everything leaving via eth0, the net
# interface, whose source address is inside 192.168.0.0/16. This is the
# sample's default range.
# NOTE(review): the LAN behind eth1 is configured as 192.168.0.0/24 in the
# interfaces.d/eth1 stanza later in this post; narrowing this entry to /24
# would masquerade only that subnet. Confirm no other 192.168.x.x networks
# sit behind eth1 before tightening it.
eth0 192.168.0.0/16

/etc/shorewall/policy

#

# Shorewall - Sample Policy File for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-policy"

###############################################################################

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST



# Policies are consulted in file order for any connection that no rule in
# /etc/shorewall/rules matched; the first line whose SOURCE/DEST fit wins.
# LAN hosts may open any connection towards the net.
loc net ACCEPT

# Unsolicited traffic from the net to the firewall or the LAN is dropped
# silently (no reply to the sender) and logged at syslog level info.
net all DROP info

# THE FOLLOWING POLICY MUST BE LAST
# Catch-all: everything without an earlier policy -- including the firewall's
# own outbound traffic ($FW -> net, $FW -> loc) -- is rejected with an error
# reply and logged. That is why the rules file needs explicit ACCEPT lines
# for DNS, NTP and ICMP originating from $FW.
all all REJECT info

/etc/shorewall/rules


#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
# The ?SECTION headers are taken unchanged from the sample; the rules listed
# under the NEW section apply to connection-opening packets (man shorewall-rules).
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Sample rule: drop TCP packets from the net that connection tracking flags
# as INVALID, before any policy is consulted.
Invalid(DROP) net all tcp

#       Don't allow connection pickup from the net (that is what Invalid(DROP) above does)
#
# Accept NTP connections from the firewall to the network
# Local addition (not in the sample): needed because the policy file has no
# $FW -> net ACCEPT, so the firewall's own clock sync would otherwise hit the
# final all/all REJECT policy. Shorewall also ships an NTP macro
# (NTP(ACCEPT) $FW net) that expresses the same rule without the literal port.
ACCEPT $FW net udp 123
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept DNS connections from the local network to the firewall
# Local addition: lets LAN clients query a resolver running on the firewall.
# NOTE(review): presumes a DNS service is actually listening on the firewall --
# confirm; if LAN clients use an upstream resolver directly this rule is unused.
DNS(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
# Only the loc zone is listed, so together with the "net all DROP" policy
# SSH stays unreachable from the net side.
#
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP) net $FW

# Sample rules: the firewall itself may send ICMP to both zones (needed since
# $FW has no ACCEPT policy of its own).
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#Webmin
# Local addition: Webmin on TCP 10000, reachable from the LAN only. The post's
# planned next step moves both SSH and Webmin behind the VPN subnet, which
# would replace the loc source here.
ACCEPT loc $FW tcp 10000



/etc/shorewall/zones


#

# Shorewall - Sample Zones File for two-interface configuration.

# Copyright © 2006-2014 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-zones"

###############################################################################

#ZONE TYPE OPTIONS IN OUT

# OPTIONS OPTIONS

# fw: the firewall host itself; this is the zone the rules file refers to as $FW.
fw firewall

# net: the untrusted upstream side (bound to eth0 in the interfaces file).
net ipv4
# loc: the trusted LAN side (bound to eth1 in the interfaces file).
loc ipv4

So you can now refresh your webmin page and you should automatically get a shorewall admin section.
IPv6 is handled by shorewall6, and it's a duplicate of this setup, just with IPv6 addresses that twist my melon.
So before anyone says it: it's just an apt-get install shorewall6 if you wish.

Currently we still have the iptables rules we originally set up, but when you start shorewall it will overwrite those rules with the shorewall setup.

When you stop shorewall it will revert to a working but open router setup.
So it's up to you, but to run with shorewall only, first:


systemctl enable shorewall

To be honest I think it's needed, even though the docs I read never mentioned it.

If you want to take out the rules we originally created and test shorewall only:

nano /etc/network/interfaces.d/eth1

# Debian ifupdown stanza for the LAN-side interface (eth1, the loc zone in Shorewall).
auto eth1

iface eth1 inet static

address 192.168.0.1

network 192.168.0.0

netmask 255.255.255.0

broadcast 192.168.0.255
# The iptables-restore post-up hook from the earlier hand-built setup is
# disabled here because Shorewall now owns the ruleset; keeping both would
# leave two competing sources of truth for the firewall rules.
#post-up iptables-restore < /etc/iptables.up.rules

Comment out the post-up line with a hash, as above.

nano /etc/sysctl.conf
# The hand-set forwarding sysctl is disabled so that Shorewall controls routing
# between eth1 and eth0 itself.
# NOTE(review): confirm IP_FORWARDING=On in /etc/shorewall/shorewall.conf;
# otherwise traffic will no longer be forwarded between the LAN and the net
# once this line is commented out.
#net.ipv4.ip_forward=1

Again, comment out the ip_forward line.

In webmin, click Check Firewall and, if all is OK, click Apply Configuration.

That is the next part done, and we are a little safer with SSH & webmin only available from the local network.

The next step is to install OpenVPN and allow SSH & webmin only on localhost, so that the only way to connect is via the VPN.

Which is really how SSH & webmin should be run on any server, in my book.

There is a lot of internet chatter about webmin being unsafe, which seems to suggest that running an admin console publicly means the software itself is unsafe.
It is so paradoxical that we shall not go there; after the next step, once we add the VPN subnet as the only access point to the settings of webmin and SSH — dunno, I just don't get the arguments.
Who would run a web-based admin console publicly??!

So all is good so far with the rockwall; next step, OpenVPN.

PS I haven't got the means to put my Rock public and port-scan it externally, but the above should leave it locked from external access.
Anyone who wants to check, please do.

